Deploying with rbac disabled causes pilot to never deploy #386
Description
Is this a BUG or FEATURE REQUEST?:
BUG
Did you review https://istio.io/help/ and existing issues to identify if this is already solved or being worked on?: Y
Bug:
Y/N
What Version of Istio and Kubernetes are you using, where did you get Istio from, Installation details
istioctl version
(not using istioctl binary)
kubectl version --client --short
Client Version: v1.9.2
Is Istio Auth enabled or not ?
Did you install the stable istio.yaml, istio-auth.yaml.... or if using the Helm chart please provide full command line input.
helm install install/kubernetes/helm/istio --name istio --namespace istio-system --set global.rbacEnabled=false
What happened:
On both Minikube and on AKS, the pilot pod is in ContainerCreating status perpetually.
Doing kubectl describe ${PILOT_POD}, I see the last two entries are:
Warning FailedMount 14m (x23 over 45m) kubelet, aks-agentpool-22784792-1 MountVolume.SetUp failed for volume "istio-certs" : secrets "istio.istio-pilot-service-account" not found
Warning FailedMount 12s (x20 over 43m) kubelet, aks-agentpool-22784792-1 Unable to mount volumes for pod "istio-pilot-556cf655c9-wdqsk_istio-system(db521473-6b3d-11e8-bed7-0649e3aaad46)": timeout expired waiting for volumes to attach/mount for pod "istio-system"/"istio-pilot-556cf655c9-wdqsk". list of unattached/unmounted volumes=[istio-certs]
This causes a helm install to time out (waiting forever for the pilot to be ready).
What you expected to happen:
I expect all Istio components to be running after running the helm install command above (with RBAC disabled) on AKS and minikube.
It seems it's trying to mount a service account as a secret, which doesn't really make sense to me. It can be seen in the pilot's Deployment yaml file:
volumes:
- name: config-volume
  configMap:
    name: istio
- name: istio-certs
  secret:
    secretName: "istio.istio-pilot-service-account"
The Pilot's service account is wrapped in a check for rbacEnabled, so it will never be created.
{{- if .Values.global.rbacEnabled }}
apiVersion: v1
kind: ServiceAccount
...
metadata:
  name: istio-pilot-service-account
  namespace: {{ .Release.Namespace }}
...
{{- end }}
How to reproduce it:
Start minikube with:
minikube start \
--vm-driver="hyperv" \
--hyperv-virtual-switch="Ethernet Virtual Switch" \
--memory 4096 \
--extra-config=controller-manager.ClusterSigningCertFile="/var/lib/localkube/certs/ca.crt" \
--extra-config=controller-manager.ClusterSigningKeyFile="/var/lib/localkube/certs/ca.key" \
--extra-config=apiserver.Admission.PluginNames=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota \
--kubernetes-version=v1.9.4
Then run the helm install command from the Istio 0.8.0 release folder:
helm install install/kubernetes/helm/istio --name istio --namespace istio-system --set global.rbacEnabled=false
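The mismatch described above (a Deployment that unconditionally mounts the secret "istio.&lt;service-account&gt;" while the ServiceAccount itself is only rendered when rbacEnabled is true) can be caught before install by cross-checking the rendered chart. The following is an added example, not code from the issue or the Istio project; it takes the rendered manifests as Python dicts (a constructed sample shaped like `helm template ... | yq -o json` output) and reports every istio.&lt;sa&gt; secret mount whose ServiceAccount is missing from the render.

```python
# Added check for the failure mode in this issue: a workload mounts the
# "istio.<service-account>" cert Secret while the chart renders no such
# ServiceAccount, so the pod never leaves ContainerCreating (FailedMount).
# Input: rendered manifests as dicts (constructed below); nothing is fetched.
SECRET_PREFIX = "istio."
WORKLOAD_KINDS = {"Deployment", "DaemonSet", "StatefulSet"}

def secret_volume_refs(workload):
    """Yield (volume name, secretName) for every secret volume in a pod spec."""
    pod_spec = workload.get("spec", {}).get("template", {}).get("spec", {})
    for vol in pod_spec.get("volumes", []):
        secret = vol.get("secret") or {}
        if "secretName" in secret:
            yield vol["name"], secret["secretName"]

def find_orphaned_cert_mounts(manifests):
    """Return one finding per istio.<sa> mount whose ServiceAccount is absent."""
    service_accounts = {
        (m["metadata"].get("namespace", "default"), m["metadata"]["name"])
        for m in manifests if m.get("kind") == "ServiceAccount"}
    findings = []
    for m in manifests:
        if m.get("kind") not in WORKLOAD_KINDS:
            continue
        ns = m["metadata"].get("namespace", "default")
        for vol_name, secret_name in secret_volume_refs(m):
            if not secret_name.startswith(SECRET_PREFIX):
                continue  # ordinary secret, not a per-service-account cert
            sa = secret_name[len(SECRET_PREFIX):]
            if (ns, sa) not in service_accounts:
                findings.append(f"{m['kind']}/{m['metadata']['name']}: volume "
                                f"{vol_name} needs {secret_name}, but ServiceAccount "
                                f"{sa} is not rendered in {ns}")
    return findings

# Constructed sample of what the chart renders with global.rbacEnabled=false.
RENDER_RBAC_DISABLED = [{
    "kind": "Deployment",
    "metadata": {"name": "istio-pilot", "namespace": "istio-system"},
    "spec": {"template": {"spec": {"volumes": [
        {"name": "config-volume", "configMap": {"name": "istio"}},
        {"name": "istio-certs",
         "secret": {"secretName": "istio.istio-pilot-service-account"}}]}}}}]
# With rbacEnabled=true the {{- if }} block also renders the ServiceAccount.
RENDER_RBAC_ENABLED = RENDER_RBAC_DISABLED + [{
    "kind": "ServiceAccount",
    "metadata": {"name": "istio-pilot-service-account",
                 "namespace": "istio-system"}}]
```

Running find_orphaned_cert_mounts over the rbacEnabled=false render yields exactly the pilot finding, and over the rbacEnabled=true render yields nothing, which is the behaviour difference the issue describes.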